[unisog] [Fwd: Is the current password std flawed?]

Tom Perrine tperrine at scea.com
Fri Feb 25 15:58:23 GMT 2005


Brown, Matthew A. writes:
 > .... and hopefully these problems will all be resolved in the next 3-7
 > years by affordable, reliable biometric solutions.
 > 
 > Matthew Brown
 > High Point University

Do not think that biometrics is a silver bullet for authentication.
Just as there are bad password-based solutions, there are bad
biometric solutions.  (There are good ones, but they are at least as
rare as "good" password solutions.)

Consider: If your text password is stolen, you can change it.  If your
handheld token is stolen, you can "expire" it and replace it.

What if the digitized format of your fingerprint is stolen, say, from
an unencrypted link between a reader and database, or even by the
"superglue" method.

How do you change your fingerprint?  It is a reusuable plaintext
password (bit string) that can't be changed.  Sort of like a US SSN,
and of course, those are *never* stolen.  Note that the credit
reporting agencies are discussing adding your fingerprints to their
databases "for verification purposes".

Check our the Risks Digests for the past few years for some ways that
this can go wrong.

Don't get me wrong, biometrics have an important place, but they're
not a perfect solution.

-- 
Tom Perrine - tperrine at scea.com
Sony Computer Entertainment America



More information about the unisog mailing list